Google’s 2017 Android Security Report Shines Light on ExpensiveWall

Google recently published its 2017 security report for the Android ecosystem, a comprehensive overview of the constantly evolving mobile threat landscape, which indicates that Trojans, spyware, and hostile downloaders account for a large portion of mobile threats today. Among the eight notable Android malware campaigns cited by Google in the report was ExpensiveWall, a malware discovered by Check Point mobile threat researchers and written about in this space in September 2017.


Google notes the technical sophistication of ExpensiveWall, and that unlike the other malware highlighted in the report, the outbreak was concentrated primarily in Europe. ExpensiveWall spread through 50 apps on Google Play, reaching between 5.9M and 21.1M downloads. The malware managed to infiltrate Google Play twice. After it was kicked out the first time, it returned in a packed version, allowing it to evade Google Play’s protections.


Figure 1: One of the malicious apps containing ExpensiveWall

This malware was dubbed “ExpensiveWall” because one of the apps it used to infect users was called ‘Lovely Wallpaper.’ ExpensiveWall registered victims to premium services without their knowledge; sent fraudulent premium SMS messages on their behalf, which then charged their accounts for fake ‘services;’ and also auto-clicks ads. Once a malicious app containing the ExpensiveWall code is downloaded, it requests several common permissions, including internet access, which allows the app to connect to its Command and Control (C&C) server. The malware proceeds to send data regarding the device to the attackers. Another permission requested by the malware is the SMS permission, which enables it to act on its malicious objective by sending premium SMS messages and registering the users for paid services.


The alarming part about ExpensiveWall and other malware of this kind are the many possible threats they can pose. Just as this version was used for premium SMS messages, an attacker can use the same infrastructure to capture pictures, record audio, and steal other sensitive data, then send the stolen information to its C&C server. Since the malware is capable of operating silently, it operates without the victim’s knowledge, turning ExpensiveWall into the ultimate tool for spying.


Employees and businesses should by now recognize that any malware attack is a severe breach of their mobile network, even if it starts out as a seemingly harmless adware. ExpensiveWall is further proof of the need to protect mobile devices against advanced threats.